In 2017, an Android app called Virus Shield, claimed to scan mobile devices for malware, but in fact did nothing of the sort. In reality, running the app simply showed a progress bar, supposed to represent scan progress, followed by an announcement at the end of the “scan” that the device was free of malicious apps. Worryingly, the app had been available on the Google Play Store, and thousands of users had paid money for it (although this was ultimately refunded to them by Google).
This inspired AV-Comparatives to help owners of Android devices to distinguish between genuine, effective Android antivirus apps on the one hand, and dubious/ineffective ones on the other by testing the effectiveness of antimalware programs for Android.
The test showed that in addition to several apps that are equally ineffective at protecting the device against malware, there were other apps that employ dubious detection mechanisms. These detected most other installed apps as potentially harmful, excluding only those with white-listed package names. With user interfaces seemingly generated from a few templates, the main purpose of these apps seems to be generating easy revenue for their developers – rather than actually protecting their users.
Including these dubious apps, AV-Comparatives found the malware protection of almost 40% of the tested Android AV apps to be inappropriate. The company has again tested the effectiveness of antimalware programs for Android, in the 2019 Android Test.
For this test, they searched for and downloaded 250 antimalware security apps by various different developers from the Google Play Store.
Only 80 apps detected over 30% of malicious apps, and had zero false alarms. 138 vendors detected less than 30% of the Android malware samples, or had a relatively high false alarm rate on popular clean files from the Google Play Store.
AV-Comparatives considers those apps to be risky, that is to say, ineffective or unreliable. In some cases the apps are simply buggy, e.g. because they have poorly implemented a third-party engine. Others detect only a handful of very old Android malware samples, and allow any apps that contain certain strings, making them likely to pass some quick checks and thus be accepted by the app stores.
A number of the above apps have in the meantime already been detected either as Trojans, dubious/fake AVs, or at least as “potentially unwanted applications” (PUA) by several reputable mobile security apps. It is to be expected that Google will remove most of them from the Google Play Store in the coming months (and hopefully enhance their verification checks, thus blocking other such apps from the store). AV-Comparatives recommends the vendors concerned remove their apps from the store until they can provide genuine and reliable protection.
The antimalware apps of 32 other vendors have in the last two months been removed from the Play Store.
Most of the above apps, as well as the risky apps already mentioned, appear to have been developed either by amateur programmers or by software manufacturers that are not focused on the security business. Examples of the latter category are developers who make all kinds of apps, are in the advertisement/monetization business, or just want to have an Android protection app in their portfolio for publicity reasons.
The full list of apps in all categories can be seen here, and the full report can be downloaded here.